NeoBeum

Windows Hardware Lab Kit

Recommended Posts

I'm in the middle of updating my dev tools and remembered that there were two cab files flagged as 'Trojan.FakeMS' on 25/06/2018.

So from the date, I think this may have been the 1803 HLK Download packages using the HLKSetup.exe. This wasn't from mu_windows_10_hardware_lab_kit_version_1803_updated_march_2018_arm32_arm64_x64_x86_dvd_12064286.iso.

Though, out of interest, I am downloading that iso again just to see if the cabinet files are present.

The two files flagged in the 'Installers' directory are:

1f39792e6be0d2fa858e6696a60070c7.cab

e68d05a40f5c0cc7bcc2f1f58607ea8a.cab

 

I will post another report once the 1809 and 1803 HLK have finished downloading on my end and I get a chance to scan and upload a sample to virustotal. (Just posting this now - as I've already delayed 9 months and I will forget about it again if I don't do this now)

 

MBAM-1803-HLK.PNG


Hi,

Given these are scans from last year, mind to rescan again and let me know if these are still detected as the same?

This is because it should have been fixed months ago already.

Thanks!

42 minutes ago, miekiemoes said:

Hi,

Given these are scans from last year, mind to rescan again and let me know if these are still detected as the same?

This since this should have been fixed for months already.

Thanks!

The newly downloaded iso for 1803 has come back positive.

The cabinet files were found on mu_windows_10_hardware_lab_kit_version_1803_updated_march_2018_arm32_arm64_x64_x86_dvd_12064286.iso

 

Only one cabinet file for the 1809 HLK also scans positive for 'Trojan.FakeMS':

1f39792e6be0d2fa858e6696a60070c7.cab

 

VirusTotal is still processing the files... although I think the process has crashed, as MBAM froze the files while Firefox was trying to upload them.

MBAM-2019-1803HLK.PNG

MBAM-2019-1809HLK.PNG


Please post the VirusTotal links when they are done processing. Can you also export the reports and copy and paste them here? They show more information than the screenshot does. Thanks!

Edited by shadowwar


Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 30/03/2019
Scan Time: 22:36
Log File: 5077ee36-52e4-11e9-864d-1c872ce2247f.json

-Software Information-
Version: 3.7.1.2839
Components Version: 1.0.563
Update Package Version: 1.0.9924
Licence: Premium

-System Information-
OS: Windows 10 (Build 17763.379)
CPU: x64
File System: NTFS
User: NB-G751JY\NeoBeum

-Scan Summary-
Scan Type: Custom Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 117956
Threats Detected: 2
Threats Quarantined: 0
Time Elapsed: 2 min, 33 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 2
Trojan.FakeMS, C:\USERS\NEOBEUM\APPDATA\ROAMING\Microsoft\Windows\Recent\1f39792e6be0d2fa858e6696a60070c7.cab.lnk, No Action By User, [725], [54561],1.0.9924
Trojan.FakeMS, E:\WINDOWS\1809\HLK\INSTALLERS\1F39792E6BE0D2FA858E6696A60070C7.CAB, No Action By User, [725], [54561],1.0.9924

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 30/03/2019
Scan Time: 22:26
Log File: e55d90ca-52e2-11e9-b515-1c872ce2247f.json

-Software Information-
Version: 3.7.1.2839
Components Version: 1.0.563
Update Package Version: 1.0.9924
Licence: Premium

-System Information-
OS: Windows 10 (Build 17763.379)
CPU: x64
File System: NTFS
User: NB-G751JY\NeoBeum

-Scan Summary-
Scan Type: Custom Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 117949
Threats Detected: 2
Threats Quarantined: 0
Time Elapsed: 2 min, 42 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 2
Trojan.FakeMS, F:\INSTALLERS\1F39792E6BE0D2FA858E6696A60070C7.CAB, No Action By User, [725], [54561],1.0.9924
Trojan.FakeMS, F:\INSTALLERS\E68D05A40F5C0CC7BCC2F1F58607EA8A.CAB, No Action By User, [725], [54561],1.0.9924

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

 

Share this post


Link to post
Share on other sites

VirusTotal has been stuck on 100% since I started typing the post (the original 2nd scan post)... so has OPSWAT.

1809 - 1f39792e6be0d2fa858e6696a60070c7.cab

Kaspersky VirusDesk

Scan result: no threats detected
File size: 15.50 MB
File type: ARC/CAB
Scan date: Mar 30 2019 22:52:10
Databases release date: Mar 30 2019 11:44:42 UTC
MD5: c92bde8bb0ec9b2bab32ae2d6d688a53
SHA1: 4453a985f595eb14ece1a6130519a55591cb83ac
SHA256: d5fe479b0e151302e89486449666ad2b2ad9bf8d4d0be9411dfa11bf79a192da

1803 - 1f39792e6be0d2fa858e6696a60070c7.cab

Kaspersky VirusDesk

Scan result: no threats detected
File size: 13.32 MB
File type: ARC/CAB
Scan date: Mar 30 2019 22:56:01
Databases release date: Mar 30 2019 11:44:42 UTC
MD5: 16bce742fe227b4bae17318df0a433a4
SHA1: 942a6b891f091a72e059a1c8ffdd1b3a709ae75b
SHA256: 6eb8a7f7e6b1e57eef1c879c3aa9fa56a090578c69930c4a84a42d2efa2de911


1803 - e68d05a40f5c0cc7bcc2f1f58607ea8a.cab

Kaspersky VirusDesk

Scan result: no threats detected
File size: 8.31 MB
File type: ARC/CAB
Scan date: Mar 30 2019 23:01:06
Databases release date: Mar 30 2019 11:44:42 UTC
MD5: 3d3c4aafb876d42906bcbc6bc4042ae4
SHA1: 7e1e40bef0bee09a7c9d3dbcd5db8f2c3bdde369
SHA256: 968f04811d404c2a06728d7fa6b4d29def1d941659cc70dfc0518415be56eb71


Hi,

Thanks.

This helps. Verified as a false positive, so detection will be removed in next database update.
